Medivo Business Associate Agreement
This Business Associate Agreement is entered into by Medivo Inc. (together with affiliates, and their agents, service providers and representatives, “Business Associate”) in favor of the physician who has agreed to participate in program(s) administered by Business Associate to help improve patient care (herein referred to as “Covered Entity”). Covered Entity and Business Associate shall collectively be known herein as the “Parties”. By providing the Program to Covered Entity, and receipt of the Program benefits, the Parties agree as follows.
WHEREAS, Covered Entity wishes to commence a relationship with Business Associate under one or more programs administered by Business Associate to help patients of the Covered Entity improve their healthcare (“Programs”; as used herein, the Health Insurance Portability and Accountability Act of 1996, including all pertinent regulations and Subtitle D of the Health Information Technology for Economic and Clinical Health Act, collectively, “HIPAA”); and
WHEREAS, in connection with the Program, Covered Entity and Business Associate may exchange Protected Health Information (“PHI”) as that term is defined under HIPAA; and
NOW THEREFORE, in consideration of the foregoing promises, and for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
For purposes of this Agreement, terms used but not otherwise defined shall have the meanings ascribed to them under HIPAA.
II. USE OR DISCLOSURE OF PHI BY BUSINESS ASSOCIATE
Specifically, except as otherwise limited or provided in this Agreement, or required by law: Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity under the Program, provided that such use or disclosure would not violate the applicable relevant requirements of HIPAA as pertaining to Business Associate. Business Associate shall comply with the applicable relevant requirements of HIPAA as pertaining to Business Associate.
III. DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI
A. Limitations on Use or Disclosure of PHI. Business Associate shall not use or disclose PHI other than as permitted or required under the Program, this Agreement or as required or permitted by law, provided Business Associate may (a) use and disclose PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, and (b) provide data aggregation or de-identification. Business Associate will use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
B. Appropriate Safeguards. Business Associate shall implement and maintain administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that Business Associate receives from Covered Entity or that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity.
C. Designated Security Officer. Business Associate shall designate an individual to serve as Security Officer responsible for supervising Business Associate’s security and privacy programs, including but not limited to, administrative, physical, and technical safeguards, employed within the organization to prevent unauthorized use, disclosure, or access to PHI maintained by Business Associate on behalf of Covered Entity.
D. Business Associate’s Third Party Agreements. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to, in effect, the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
E. Duties of Business Associate Involving Breach or Unauthorized Access, Use or Disclosure of PHI
- Discovery of Breaches. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to the Business Associate, or by exercising reasonable diligence should have been known, to any person, other than the person committing the breach, who is an employee, officer or other agent of Business Associate (determined in accordance with the federal common law of agency).
- Notification of Covered Entity. Business Associate shall promptly notify the Covered Entity after discovery of any access, use or disclosure of PHI not permitted by this Agreement or the Program, any security incident involving electronic PHI and any breach of unsecured PHI of which Business Associate becomes aware and/or any actual or suspected use or disclosure of PHI in violation of any applicable federal or state laws or regulations. Business Associate shall take any prompt corrective action to cure any such deficiencies and any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
- Reporting Improper Access, Use or Disclosure. Business Associate shall provide reasonable information requested by Covered Entity as much as is possible and a complete report within ten (10) business days of discovery of a breach except when, despite all reasonable efforts of Business Associate to obtain certain required information, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances, Business Associate shall provide to Covered Entity any missing information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach. Business Associate shall provide the Covered Entity with updates of information concerning the details of such breach and the final results of its risk assessment as required in Section E.4 as needed to ensure that such information remains current.
- Risk Assessment and Investigation. Business Associate shall perform an appropriate risk assessment immediately following the discovery of any unauthorized access, use or disclosure of PHI.
- Mitigation of Harm. In the event of an unauthorized use or disclosure of unsecured PHI, Business Associate shall mitigate, to the extent practicable, any harmful effects of said disclosures that are known to it, such as promptly obtaining reasonable assurance, in writing, from the recipient that the information will not be further used or disclosed or will be destroyed.
F. Records of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI. Should an individual make a request to Covered Entity for an accounting of disclosures of his or her PHI, Business Associate agrees to promptly provide Covered Entity, in a reasonable time and manner designated by Covered Entity, with information to respond to the individual’s request.
G. Compliance Determinations. Business Associate shall make its internal practices, books, records, and any other material, including but not limited to, policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity upon reasonable request, relating to the use, disclosure, and safeguarding of PHI received from Covered Entity, available to the Covered Entity, or to the Secretary of Health and Human Services or other regulatory agency, for the purpose of determining compliance with HIPAA.
H. Legal Notifications. Business Associate shall immediately notify Covered Entity if Business Associate is required by law to disclose any of the PHI. Business Associate will notify Covered Entity promptly in writing so that Covered Entity may seek a protective order or other appropriate remedy or, in its sole discretion, waive compliance with the terms of this Agreement. In the event that no such protective order or other remedy is obtained, or that Covered Entity waives compliance with the terms of this Agreement, Business Associate will furnish only that portion of the PHI which it is advised by counsel is legally required.
K. Permitted Disclosures. Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed.
IV. TERM AND TERMINATION
A. Term. The Term of this Agreement shall be effective as of the date the Program is effective, and shall terminate upon the Program’s termination or completion. Upon termination, all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, shall be destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections shall continue to be extended to such information.
B. Termination for Cause. Upon material breach of this Agreement by Business Associate, Covered Entity shall: provide a reasonable opportunity for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, terminate this Agreement; or immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.
C. Effect of Termination. Except as provided in this Section, upon termination of this Agreement, for any reason, Business Associate shall, subject to applicable law, immediately return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies of the Protected Health Information, except in encrypted back-up media. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
This Agreement may only be modified through a writing signed by the Business Associate. Business Associate may modify this Agreement with prior notice to Covered Entity. Such modification shall be effective upon such notice or posting. All limitations and disclaimers of Covered Entity in any instrument agreed by Covered Entity shall apply herein. This Agreement is governed by the laws of New York without regard to conflict of laws. This Agreement shall be binding upon the Parties and their successors and assigns. V1.1 (06.21.12)